SAP S/4HANA, the core ERP product from SAP, is a complex solution. With more than 300 million lines of code, and a broad variety of modules and components, it’s not only very powerful – it can also be overwhelming to find the settings and features you need. This is also true for security.
This blog post provides you with some important links to gain more insight into how we at SAP secure SAP S/4HANA, what features and tools are relevant to security and which technology is used with SAP S/4HANA.
At SAP, we have a dedicated approach to security, as well as three main pillars supporting this strategy. For more information, check out this presentation.
Analogue to this approach, the security for SAP S/4HANA also builds upon these three main pillars, and for this blog post, we’d like to go into more details. Some of these details are related to our SAP S/4HANA Cloud solutions, namely SAP S/4HANA Cloud, private edition and SAP S/4HANA Cloud, public edition. Others, of course, are valid for all deployment models, including SAP S/4HANA on premise.
Build Securely
Let’s dive right into it and start at the beginning: Build Securely
And building a secure solution starts with software development.
For an overview of how we integrate security into our software development lifecycle, refer to “The Secure Software Development Lifecycle at SAP”
For SAP S/4HANA, we have also described some of the instruments and concepts we use in our software development in a series of blog posts:
Application Security Testing for SAP S/4HANA
A behind the scenes look into the Bug Bounty Program for SAP S/4HANA
The importance of Threat Modeling for SAP S/4HANA
Security Measures, Features and Functions
Build Securely not only refers to the process of developing SAP S/4HANA securely, it also incorporates the security and compliance of the solution itself. Ranging from security measures built right into the software, to security features and functions. And let’s not forget data protection and privacy.
In a solution as complex as SAP S/4HANA, those are broad topics and nothing we can cover in just one blog post. Instead, we’ll focus on two things: how you as a customer can secure your solution and where to find more information about the security of SAP S/4HANA and it’s various deployment options.
One of the features which can be influenced, regardless of the deployment option, is
the Content Security Policy (CSP). My colleague Marc Röder has written a few interesting articles on this:
Content Security Policy: when SAP S/4HANA cares like a mother
For SAP S/4HANA Cloud Public Edition:
CSPs in SAP S/4HANA Cloud Public Edition
For SAP S/4HANA Cloud Private Edition:
Maintaining CSPs in SAP S/4HANA Cloud Private Edition
Shared Responsibilities
For an on-premise deployment, there is a very extensive Security Guide. This security guide is, in essence, also valid for SAP S/4HANA Cloud, private edition. However, as with all of our cloud solutions, there is a shared responsibility – some security measures are within the realm of the customers, others lie within our responsibility as the cloud solution provider. For SAP S/4HANA Cloud, private edition, roles and responsibilities are detailed in this document.
Our Cloud ERP option – SAP S/4HANA Cloud, public edition - is a true SaaS solution. Therefore, as a customer, you don’t really have to worry about most security settings. Nevertheless, there are things you should know about how to protect your SAP S/4HANA Cloud, public edition. This document includes a detailed description of most of our security settings, but also some security recommendations wherever those settings are within your responsibility of a customer.
For those who are interested in some more details focused on the cloud operations, I can recommend a few blog posts highlighting those:
Securing RISE with SAP
Securing GROW with SAP
Comparing the Security of SAP S/4HANA Cloud, private edition Vs SAP S/4HANA Cloud, public edition
The shared responsibilities in a cloud solution also mean, that the major part for securing operations lies with the cloud provider – SAP in this case. And with the ongoing transformation to the cloud, and especially to SAP S/4HANA Cloud, this is also where the majority of questions arise – and where we have a comprehensive set of documents to answer almost any question. In “My Trust Center” you will find extensive documentation to how we secure our cloud operations, covering a broad range of topics, from encryption to threat management to disaster recovery and backup. You will have to have an SAP account to access “My Trust Center” .
SAP’s cloud operations security
The documents available in My Trust Center explain our general approach to different topics. But for all of our solutions you will also find some more specific documentation. These are available in the “Trust Center” (without the “my”, you also don’t need an account to access this Trust Center).
First and foremost, our security measure are certified against various industry standards or, where a certification is not possible, follow these standards.
The most important document(s) in this context are probably the System and Organization Controls (SOC) reports. Especially the SOC 2 reports give insights into the control system relevant to security, availability, processing integrity, confidentiality, or privacy of data. You can find the SOC 2 reports for all of our solution, including the different deployment models for SAP S/4HANA Cloud here:
https://www.sap.com/about/trust-center/certification-compliance/compliance-finder.html?tag=complianc...
Secondly, our processes and solutions are certified against several ISO standards, ranging from quality management (ISO9001) to security management (ISO27001). The respective certifications are available here:
https://www.sap.com/about/trust-center/certification-compliance.html#active_tab_item_1613506554008
Beyond certifications, there are other helpful documents giving our customers transparency about security and surrounding topics. Here are a few answers to questions we receive often:
How do we go about our Backup and Disaster Recovery for SAP S/4HANA Cloud, public edition?
Can I, as a customer, save a local copy of my data? With Customer Data Return you can.
What about the underlying database, i.e. SAP HANA Security?
Can access to SAP S/4HANA Cloud be restricted to, for example, certain IP ranges?
We were speaking of shared responsibilities earlier. SAP S/4HANA Cloud utilizes some additional solutions of SAP to deliver its full potential – our Identity Services to authenticate against our Cloud ERP, for example, or BTP for specific process apps. Not to forget some of the specialized solutions we offer to increase the security of our solutions. Here’s some information on the security of those solutions as well.
SAP S/4HANA Cloud, Public Edition Identity Access Management – Your Knowledge Base
A Single Sign-On Guide for SAP S/4HANA Cloud, Private Edition (RISE with SAP)
Security for SAP Business Technology Platform
SAP Solutions for Cyber Security and Data Protection
I’d like to mention another related important topic: auditability. Auditors have been used to auditing SAP ERP systems in the past, and have created guidelines for doing so – the audit guideline by the German SAP User Group (DSAG) is a great example.
However, when auditing SAP S/4HANA Cloud, public edition, a different approach has to be taken, owing to the shared responsibility model mentioned earlier. In co-operation with auditing company Deloitte, SAP has created an extensive guide, available in a series of blog posts.
